
On April 7, 2014, CVE-2014-0160, better known as Heartbleed, was publicly disclosed by the OpenSSL project, affecting millions of users and devices around the world. Today, two years to the day after it was first reported, the vulnerability remains a risk, and the trend of branded vulnerabilities it created continues to have an impact.

OpenSSL is a widely deployed open-source technology used on endpoints, mobile devices and servers. The promise of OpenSSL is that it provides the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic libraries necessary to secure data in transit. With Heartbleed, however, data meant to be protected by SSL/TLS could be decrypted, leaving users at risk. Heartbleed isn't just a theoretical risk; it has been used by hackers to attack government agencies, including the Canada Revenue Agency (CRA), as well as the largest banks in the United States.

Although patches for Heartbleed have been available publicly for two years, the flaw is still a risk and likely still being exploited by attackers taking advantage of unpatched servers.

"There are many organizations that are still at risk because they don't know what their third-party vendors are implementing in products that they run on their network," Marcus Carey, founder and CTO of vThreat, told eWEEK. "People don't even know how many computers are connected to their networks, let alone what software is running on them."

Georgia Weidman, founder and CTO at Shevirah, noted she regularly sees Heartbleed show up on Internet-facing systems during penetration tests and vulnerability assessments, from small clients to Fortune 100 companies.

"What people don't realize is that on many servers OpenSSL is the only means of protection of very sensitive data in transit," Weidman told eWEEK. "A known issue with proofs of concept and tutorials all over the Internet for how to exploit [the flaw]—that allows attackers to turn encrypted data back into plain text—is a major issue that should not be overlooked."

Among the many vendors that Heartbleed affected is Linux vendor Red Hat. Josh Bressers, security strategist at Red Hat, commented that a fix for Heartbleed was made available very quickly for all versions of Red Hat Enterprise Linux, CentOS and Fedora. Additionally, he noted that Red Hat has various automated checks that can help ensure a Red Hat customer isn't vulnerable to Heartbleed or any other fixed issue.

"If there are systems still vulnerable to Heartbleed out there, I would not expect them to be Red Hat systems," Bressers told eWEEK.
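As an added example (not eWEEK's, Red Hat's or the OpenSSL project's code), a small inventory check in the spirit of the automated checks Bressers mentions and the asset-visibility gap Carey describes: it flags upstream OpenSSL versions in the Heartbleed range and shows why enterprise distributions that backport fixes without changing the upstream version need a package-release comparison, not a version string. The fixed-release threshold and the sample inputs are assumed for illustration.

```python
import re

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code:
# 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix.
VULNERABLE_UPSTREAM = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")
VERSION_LINE = re.compile(r"^OpenSSL\s+(\S+)")
# Package name-version-release as printed by `rpm -q openssl`.
PKG_RE = re.compile(r"^openssl-(\d[^-]*)-(\S+)$")

# Assumed threshold for this example: the first package release that carries
# the backported fix while still reporting upstream version 1.0.1e.
FIXED_RELEASE = {"1.0.1e": "16.el6_5.7"}


def upstream_status(version_output):
    """Classify the first line of `openssl version` output by upstream version."""
    m = VERSION_LINE.match(version_output.strip())
    if not m:
        return "unknown"
    return "vulnerable" if VULNERABLE_UPSTREAM.match(m.group(1)) else "not-affected"


def _tokens(s):
    # Split "16.el6_5.7" into [16, "el", 6, 5, 7] for segment-wise comparison.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_tokens(a, b):
    """Simplified rpm-style release comparison: -1, 0 or 1."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # numeric segment beats alpha
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def package_status(nvr):
    """Classify an RPM name-version-release, honouring backported fixes."""
    m = PKG_RE.match(nvr.strip())
    if not m:
        return "unknown"
    version, release = m.groups()
    if not VULNERABLE_UPSTREAM.match(version):
        return "not-affected"
    threshold = FIXED_RELEASE.get(version)
    if threshold is None:
        return "vulnerable"  # vulnerable upstream code and no known backport
    return "fixed" if _cmp_tokens(_tokens(release), _tokens(threshold)) >= 0 else "vulnerable"
```

A version-only check would report every patched 1.0.1e package as vulnerable, so run the package check on distribution builds and the version check only on self-compiled or vendor-bundled OpenSSL.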

Among the many issues the Heartbleed incident highlighted was a need for more collaboration, resources and attention to securing open-source code. One of the key responses to Heartbleed came from the Linux Foundation in the form of the Core Infrastructure Initiative (CII), a group dedicated to improving open-source code security. During the last two years, CII has had an impact on helping improve security at the OpenSSL project to help prevent another Heartbleed-type incident.

"OpenSSL now has a well-known and published approach for how it will appropriately inform all interested parties of security advisories," Emily Ratliff, senior director of infrastructure security at The Linux Foundation, told eWEEK. "Even trivial patches must follow the review process."

Ratliff added that some reviews are very detailed and are discussed before going to a team vote. And, she said, there also have been a lot of great governance improvements in the OpenSSL project, some of which were certainly self-motivated yet supported by the CII grants.

"The OpenSSL code is now cleaner, more organized, and the OpenSSL team has set a goal to avoid releasing security fixes on Thursday/Friday," Ratliff said.
